nollprocent wrote: I've found that hacking resources are very hard to find via Google.

Bullshit.

I think you're going about this the wrong way. They won't have some base64 hash wrapping up your password in a neat, easy-to-find file ready for you to crack. Now, if you're trying to get somebody's website by doing this, you're going the wrong way. The best way is to either
A: Set up a keylogger, hardware or software.
B: Social engineering.
C: Scamming/phishing?

I would imagine it would be harder than not to hack a WordPress account (not familiar but I assume that's how it works) when they have some high profile users, you would have to go for the users, not the product.

nollprocent wrote: Hi, this might be a silly question but where do I find my hashed WordPress password? I've seen examples posted but where do they come from? Can others find my hashed password?

And since I came all the way here for an answer, here's a bonus question:

Where would you go to find information on stuff like this, that Google sorts out since it could be used for illegal business? I've found that hacking resources are very hard to find via Google.

Please be nice to the newbie.

All hashes are stored in the WordPress DB (usually MySQL). Truthfully, they don't put it in an easy-to-find place; you will have to exploit the DB (which may have to be done indirectly) in order to gain this information.

Truth be told, Google has a PLETHORA of information on this type of thing. IF you are searching for the right things.

sordidarchetype wrote: Define "unique". Although I don't necessarily disagree with what you recommend, that statement does seem a bit vague.

Unique being a password that will not be commonly used in password lists.
Unique as in having a password 12+ characters.
Unique as in having capital letters.
Unique as in having lower-case letters.
Unique as in having numbers.
Unique as in having symbols.

A password such as "bobjoe1" will easily be found in password lists. A unique password such as "L1quiiD-N!TroG3n" will not be found in password lists as easily.

See, if a web-admin hashes passwords into MD5 format, and an attacker manages to pull off a SQLi dump, and see the passwords, they will be in the hashed MD5 format. Then the attacker must run a dictionary attack on those passwords, with a tool such as JTR or Hashcat. If your password is very 'unique', you will have better odds of your password's hash not being reversed. If your password isn't in their dictionary, you will still remain safe. If your password is not unique, the odds of it being in their dictionary are greatly increased, as well as your account's safety. This is why most sites have a set recommendation level for password input before you can complete registration.

1. No system is safe.
2. Aim for the impossible.
3. Have fun in cyberspace and meatspace.

sordidarchetype wrote: Define "unique". A unique password such as "L1quiiD-N!TroG3n" will not be found in password lists as easily.

This is actually a misconception, and that is why I asked. Unfortunately, liquidnitrogen can be found in some hash dictionaries. Now, traditionally, leetspeak rules for cracking have been very poor, and that password may have been a bit harder to crack. However, I just finished a new leetspeak ruleset to take care of this issue and actually discovered more complex combinations. It will be rolling out with the next official release of hashcat.

The only thing that makes L1quiiD-N!TroG3n difficult is actually the double "i" in the first word. There ARE rules to catch this, but they are generally not run often without specific knowledge by the attacker.

The rest of that password is just leetspeak transforms applied to dictionary words, case permutations, and space substitution with "!" (which is just as common as substitution with "_" or "-"). All of these sequences have rulesets written for them in hashcat (at the least).

Remember, at this past DEF CON we were cracking passwords with mixed-case alphanumeric sequences that were as much as 24 characters long. This was possible because the types of patterns users tend to pick are predictable.

All that being said, your recommendations are sound, and would help to increase attack times if nothing else.

-Ninjex- wrote: It's not a misconception that "L1quiiD-N!TroG3n" will be more secure than "bobjoe1", that is my argument. If it wasn't more secure, we wouldn't have such a difficult time creating passwords for hts.

I just checked with a few of my friends, and at least three of them have liiquid-nitrogen and liquiid-nitrogen in their dictionaries.

Just to put this in perspective, one of them ran a quick test against an MD5 of L1quiiD-N!TroG3n using the new leetspeak rules and it fell within 10 minutes.
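
A defender-side illustration of the point argued in this thread, added here as an example and not code from any poster or from hashcat: a signup-time check that undoes the transforms discussed above (case, leetspeak, doubled letters, separators, a trailing digit) and reports the dictionary words underneath. The wordlist, the substitution map and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a large dictionary.
WORDLIST = {"liquid", "nitrogen", "bob", "joe", "password"}

# Assumed leetspeak mapping for illustration; real rulesets are far larger.
LEET = str.maketrans({"1": "i", "!": "i", "3": "e", "0": "o",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

def candidates(token):
    """Return the plain forms a token may reduce to."""
    lowered = token.lower()
    forms = set()
    # Try the token as-is and with a trailing digit/"!" suffix removed.
    for t in (lowered, lowered.rstrip("0123456789!")):
        plain = t.translate(LEET)
        forms.add(plain)
        forms.add(re.sub(r"(.)\1+", r"\1", plain))  # "liquiid" -> "liquid"
    forms.discard("")
    return forms

def segments(text):
    """Split text into wordlist words, or return None if it cannot be done."""
    if not text:
        return []
    for i in range(len(text), 0, -1):
        if text[:i] in WORDLIST:
            rest = segments(text[i:])
            if rest is not None:
                return [text[:i]] + rest
    return None

def dictionary_words(password):
    """Return the words a password reduces to, or None if any token resists."""
    found = []
    for token in filter(None, re.split(r"[-_ .]+", password)):
        hits = [s for s in map(segments, sorted(candidates(token))) if s]
        if not hits:
            return None
        found.extend(hits[0])
    return found

if __name__ == "__main__":
    for pw in ("bobjoe1", "L1quiiD-N!TroG3n", "P@ssw0rd", "xK9#vQ2mTz"):
        print(pw, "->", dictionary_words(pw))
```

A `None` result only means these few transforms found nothing; it is not a measure of strength, which is why randomly generated passwords or passphrases are the safer policy target.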